2023-11 Authorization request changes
From the 1st of March 2024, the state parameter in authorization requests will be required, with a minimum length of 8 characters.
What is the state parameter?
The state parameter is part of the authorization request that allows users to authorize an integration to access their store.
Example:
https://secure.retail.lightspeed.app/connect?response_type=code&client_id={client_id}&redirect_uri={redirect_uri}&state={state}
Currently, the state parameter is supported and is included in our Authorization guide, but it is not required. If it is provided, we do not validate its length.
Please refer to the Authorization page for more information.
Why are we making this change?
We are making this change to ensure that the state parameter is always provided, and that it's long enough to be effective in protecting integrations against Cross-Site Request Forgery attacks.
What do I need to do?
Make sure your authorization requests include the state parameter with a minimum length of 8 characters. It should be a unique, randomly generated, opaque, and non-guessable string.
When you receive the authorization response, make sure that the state parameter matches the one you sent in the authorization request.
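One way to implement both steps, as an added example that is not Lightspeed's own code: it generates the state, binds it to the user's session, and checks it when the authorization response arrives. The session dictionary, the function names and the redirect URI are assumptions; the response is assumed to carry the standard OAuth code and state query parameters.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://secure.retail.lightspeed.app/connect"  # endpoint from this page
MIN_STATE_LENGTH = 8  # minimum length required by this announcement


def new_state() -> str:
    # 32 bytes from the OS CSPRNG, URL-safe encoded (43 characters).
    return secrets.token_urlsafe(32)


def build_authorization_url(session: dict, client_id: str, redirect_uri: str) -> str:
    """Create a fresh state, store it in the user's session, return the request URL."""
    state = new_state()
    session["oauth_state"] = state  # hypothetical server-side session store
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}"


def verify_callback(session: dict, callback_url: str) -> str:
    """Return the authorization code only if the state matches the stored one."""
    params = parse_qs(urlparse(callback_url).query)
    # pop() makes the state single use, so a replayed response is rejected.
    expected = session.pop("oauth_state", None)
    received = params.get("state", [""])[0]
    if not expected or len(received) < MIN_STATE_LENGTH:
        raise ValueError("missing or too-short state")
    # Constant-time comparison of the sent and returned values.
    if not hmac.compare_digest(expected.encode(), received.encode()):
        raise ValueError("state mismatch: discard this authorization response")
    codes = params.get("code")
    if not codes:
        raise ValueError("no authorization code in response")
    return codes[0]
```
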